Search engine redirect, 8 steps included


preston67

All of my search engines redirect 75% of the result links to random adware sites.
I have run the 8 steps. Avira anti-virus kept reporting TR/Cryp.XPACK.Gen2, but could not remove it even in safe mode, and in fact the computer would usually become unstable after it tried to remove them. Avira also seemed unstable, constantly popping up a corner window warning about these but unable to resolve it.

Thanks in advance for any help.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4636

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18943

9/17/2010 12:01:58 AM
mbam-log-2010-09-17 (00-01-58).txt

Scan type: Quick scan
Objects scanned: 167122
Time elapsed: 14 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{3541dacd-016c-f3a6-84f5-2ec457a3b36f} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\sysservice.dll (Backdoor.IRCBot) -> Quarantined and deleted successfully.
C:\Users\owner\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.

GMER log
=========
Rootkit scan 2010-09-17 08:35:23
Windows 6.0.6001 Service Pack 1
Running: wjb6nmcz.exe; Driver: C:\Users\owner\AppData\Local\Temp\kwlcapow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[1076] kernel32.dll!CreateProcessInternalW 764198DD 5 Bytes JMP 0078874A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74BE88B4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74C298A5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74BEB9D4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74BDFB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74BE7A79] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74BDEA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74C1B17D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74BEBC9A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74BE074E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74BE06B5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74BD71B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74C6D848] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74C07379] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74BDE109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74BD697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74BD69A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1076] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74BE2465] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6bdcbfde
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6bed307a
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6bdcbfde (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6bed307a (not active ControlSet)

---- EOF - GMER 1.0.15 ----
 

Attachments: Attach.txt (7.9 KB)
DDS

=================================
DDS (Ver_10-03-17.01) - NTFSx86
Run by owner at 18:13:18.54 on Fri 09/17/2010
Internet Explorer: 8.0.6001.18943 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.822 [GMT -7:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Program Files\PC Hardware Manager\PCHardwareManager.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\schtasks.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Windows\vsnp2uvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lkcitdl.exe
C:\Windows\system32\lkads.exe
C:\Windows\system32\lktsrv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Verizon\VSP\ServicepointService.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe
C:\cleanup\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/
uSearch Bar = Preserve
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Browser protection: {fb9ffb4b-9680-4256-8178-5ecdb2c19b23} - c:\progra~1\spynom~1\SNMIEG~1.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [OsdMaestro] "c:\program files\hewlett-packard\on-screen osd indicator\OSD.exe"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [PC Hardware Manager] c:\program files\pc hardware manager\PCHardwareManager.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [SDActiveMonitor] c:\program files\spywaredetector\SDActiveMonitor.exe -AUTO
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN
mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: att.com\*.vpn
Trusted Zone: att.com\www.e-access
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://cassl10.vpn.att.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://cassl10.vpn.att.com/CACHE/sdesktop/install/binaries/instweb.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
 
Dds2

================= FIREFOX ===================

FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\b82lmtqd.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\verizon\vsp\nprpspa.dll
FF - plugin: c:\users\owner\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {9398FD24-58F0-47BA-A72E-0EB27CFDB872} - c:\users\owner\appdata\local\{9398FD24-58F0-47BA-A72E-0EB27CFDB872}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]
R3 asusledbt;ASUS Bluetooth LED Device Driver;c:\windows\system32\drivers\asusledbt.sys [2007-8-28 24880]
R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\drivers\athrusb.sys [2007-8-28 858112]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2007-8-28 28464]
R3 CFXPDisplayName;CFXPDisplayName;c:\windows\system32\drivers\CFACPI.sys [2007-8-28 7680]
R3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2007-8-28 366080]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-10 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-10 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-4-9 34248]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-4-10 40552]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]

=============== Created Last 30 ================

2010-09-17 06:41:15 0 d-----w- c:\users\owner\appdata\roaming\Malwarebytes
2010-09-17 06:40:48 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-17 06:40:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-17 06:40:45 0 d-----w- c:\programdata\Malwarebytes
2010-09-17 06:40:44 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-17 02:52:07 65536 --sha-w- c:\users\owner\ntuser.dat{6382b99c-c206-11df-9a3e-001a6bed307a}.TM.blf
2010-09-17 02:52:07 524288 --sha-w- c:\users\owner\ntuser.dat{6382b99c-c206-11df-9a3e-001a6bed307a}.TMContainer00000000000000000002.regtrans-ms
2010-09-17 02:52:07 524288 --sha-w- c:\users\owner\ntuser.dat{6382b99c-c206-11df-9a3e-001a6bed307a}.TMContainer00000000000000000001.regtrans-ms
2010-09-17 01:34:20 0 d-----w- C:\cleanup
2010-09-16 14:03:17 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-09-15 09:39:23 501760 ----a-w- c:\windows\system32\usp10.dll
2010-09-15 09:39:19 126464 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-15 09:39:12 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-15 09:39:06 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-09-13 06:11:35 0 d-----w- C:\Cems Data Properties
2010-09-06 14:36:33 0 d-----w- c:\programdata\Sun
2010-09-06 14:36:11 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-03 05:27:40 1152 ----a-w- c:\windows\system32\windrv.sys
2010-09-03 05:27:29 0 d-----w- c:\program files\SpyNoMore
2010-08-27 16:23:34 0 d-----w- C:\389294be31a859d6fb

==================== Find3M ====================

2010-06-26 06:05:49 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02:15 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02:15 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25:02 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-21 13:18:15 2036736 ----a-w- c:\windows\system32\win32k.sys
2010-04-26 15:29:12 51200 ----a-w- c:\windows\inf\infpub.dat
2010-04-26 15:29:12 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-04-10 05:01:19 86016 ----a-w- c:\windows\inf\infstor.dat
2008-08-09 15:41:51 174 --sha-w- c:\program files\desktop.ini
2008-08-09 15:32:38 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-07-04 04:57:45 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2008-07-04 04:57:45 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008070320080704\index.dat
2007-08-28 22:42:49 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 18:15:30.69 ===============
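The three logs above each carry one line that a helper reads first: the GUID-named Run value that MBAM quarantined, the `EnableLUA = 0` policy and the GUID-named hidden Firefox extension in the DDS report, and the inline `JMP` hook on `CreateProcessInternalW` inside Explorer in the GMER scan. The script below is an added example by the editor, not code from preston67's post or from Malwarebytes, DDS or GMER: it parses lines in the formats those tools print and applies the editor's own triage heuristics to them. The sample lines are copied from the logs above, with two benign DDS entries included so the rules have something to ignore; the 16 MiB distance used for the hook rule and the "user-writable location" substrings are assumptions, not tool logic.

```python
"""Triage of MBAM / DDS / GMER log lines (added example; the rules are the editor's
heuristics, not logic from Malwarebytes, DDS or GMER)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the logs in this thread, plus benign entries
# from the same DDS log that the rules must leave alone.
SAMPLE_LINES = [
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{3541dacd-016c-f3a6-84f5-2ec457a3b36f} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.",
    r"uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun",
    r"mRun: [<NO NAME>]",
    r"mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe",
    r"mPolicies-system: EnableLUA = 0 (0x0)",
    r"FF - HiddenExtension: XULRunner: {9398FD24-58F0-47BA-A72E-0EB27CFDB872} - c:\users\owner\appdata\local\{9398FD24-58F0-47BA-A72E-0EB27CFDB872}",
    r"FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}",
    r".text C:\Windows\Explorer.EXE[1076] kernel32.dll!CreateProcessInternalW 764198DD 5 Bytes JMP 0078874A",
]

GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
# MBAM registry-value hit:  <key>\<value> (<detection>) -> <action>
MBAM_REG_RE = re.compile(r"^(HKEY_\S+?)\\([^\\]+) \(([^)]+)\) -> (.+)$")
# DDS autostart entries:    uRun/mRun: [value name] command
DDS_RUN_RE = re.compile(r"^[um]Run: \[(.*?)\](?:\s+(.*))?$")
DDS_LUA_RE = re.compile(r"^mPolicies-system: EnableLUA = (\d+)")
DDS_HIDDENEXT_RE = re.compile(r"^FF - HiddenExtension: .+? - (.+)$")
# GMER user-mode inline hook: .text <process>[pid] <module!function> <addr> N Bytes JMP <target>
GMER_HOOK_RE = re.compile(r"^\.text (.+?)\[(\d+)\] (\S+) ([0-9A-Fa-f]+) \d+ Bytes JMP ([0-9A-Fa-f]+)$")
HOOK_DISTANCE = 16 * 1024 * 1024   # assumption: a JMP this far away leaves the hooked DLL


@dataclass
class Finding:
    source: str   # which tool's log the line came from
    reason: str
    line: str


def _guid_dir_in_profile(path: str) -> bool:
    """True when the last path component is a bare GUID under a user's AppData."""
    p = path.lower().rstrip("\\")
    return "\\appdata\\" in p and GUID_RE.fullmatch(p.rsplit("\\", 1)[-1]) is not None


def triage(lines):
    findings = []
    for raw in lines:
        line = raw.strip()
        if (m := MBAM_REG_RE.match(line)):
            key, value, detection, _action = m.groups()
            if key.lower().endswith("\\currentversion\\run") and GUID_RE.fullmatch(value):
                findings.append(Finding("mbam", f"GUID-named Run value ({detection}); confirm it is gone after a reboot", line))
        elif (m := DDS_RUN_RE.match(line)):
            name, cmd = m.group(1), (m.group(2) or "")
            if name in ("", "<NO NAME>") or GUID_RE.fullmatch(name):
                findings.append(Finding("dds", f"autostart with no proper value name: [{name}] {cmd}".rstrip(), line))
            elif any(s in cmd.lower() for s in ("\\appdata\\", "\\temp\\")):
                findings.append(Finding("dds", f"autostart running from a user-writable location: {cmd}", line))
        elif (m := DDS_LUA_RE.match(line)):
            if m.group(1) == "0":
                findings.append(Finding("dds", "EnableLUA = 0: UAC is disabled, an administrator's processes run fully elevated", line))
        elif (m := DDS_HIDDENEXT_RE.match(line)):
            if _guid_dir_in_profile(m.group(1)):
                findings.append(Finding("dds", f"hidden Firefox extension loaded from a GUID-named AppData folder: {m.group(1)}", line))
        elif (m := GMER_HOOK_RE.match(line)):
            proc, pid, func, addr, target = m.groups()
            if abs(int(target, 16) - int(addr, 16)) > HOOK_DISTANCE:
                findings.append(Finding("gmer", f"inline hook on {func} in {proc} (pid {pid}) jumps to {target}, far from the hooked code at {addr}; "
                                                f"AV hooks look the same, so identify the module owning {target}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.source}] {f.reason}")
```

Run against the sample it reports five findings and stays silent on the Sidebar, SoundMAX and Java Console entries. The GMER rule deliberately does not call the hook malicious on its own: McAfee and other products also place inline hooks, and the address the `JMP` lands in has to be attributed to a module (or to no module at all) before it means anything.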
 
Hi and welcome to TechSpot forums :).

====

Please do the following in the order given;

Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

======================

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
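MBRCheck is asked for on a redirect case because a bootkit that patches the master boot record survives everything the earlier scans can clean; the tool reads the first sector of each disk, reports the partition table and compares the boot code against known-good Windows code. The script below is an added example by the editor that shows the shape of such a check, not MBRCheck's own code (its internals and hash list are not on this page): it parses the 512-byte sector, hashes the 440 bytes of bootstrap code (leaving out the per-machine disk signature at offset 440), validates the 55 AA boot signature and counts active partitions. The boot-code bytes and the "known-good" set are constructed for the example; a real check would carry the hashes of genuine MBR code for each Windows version.

```python
"""MBR sanity check (added example; not MBRCheck's code). Assumes classic MBR layout:
440 bytes boot code, 4-byte disk signature, 2 reserved bytes, 4 x 16-byte partition
entries at offset 446, and the 55 AA signature at offset 510."""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 440
PART_TABLE_OFF = 446
PART_ENTRY = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def code_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only; the disk signature differs per machine."""
    return hashlib.sha256(mbr[:CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes):
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i)
        if ptype:  # type 0 marks an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(mbr: bytes, known_good: set) -> list:
    """Return a list of human-readable problems; an empty list means the sector looks sane."""
    if len(mbr) < SECTOR_SIZE:
        return ["MBR shorter than one sector"]
    issues = []
    if mbr[510:512] != BOOT_SIGNATURE:
        issues.append("boot signature 55 AA missing")
    h = code_hash(mbr)
    if h not in known_good:
        issues.append(f"boot code sha256 {h[:16]}... is not in the known-good set")
    bootable = [p for p in parse_partitions(mbr) if p["bootable"]]
    if len(bootable) != 1:
        issues.append(f"{len(bootable)} partitions marked active (expected 1)")
    return issues


def build_mbr(code: bytes, partitions) -> bytes:
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples."""
    buf = bytearray(SECTOR_SIZE)
    buf[:len(code)] = code
    for i, entry in enumerate(partitions):
        struct.pack_into(PART_ENTRY, buf, PART_TABLE_OFF + 16 * i, *entry)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# Constructed stand-in for genuine boot code: xor ax,ax / mov ss,ax / mov sp,7C00 / mov es,ax / mov ds,ax
CLEAN_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8")
CLEAN_MBR = build_mbr(CLEAN_CODE, [(0x80, 0x07, 2048, 204800)])
KNOWN_GOOD = {code_hash(CLEAN_MBR)}          # constructed known-good set for the example
_t = bytearray(CLEAN_MBR)
_t[0:2] = b"\xeb\x3c"                        # patched entry jump, as a bootkit would leave behind
TAMPERED_MBR = bytes(_t)

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, check_mbr(sector, KNOWN_GOOD) or "OK", parse_partitions(sector))
```

The hash comparison is the part that matters on a redirect case: a bootkit keeps the partition table intact and a valid 55 AA signature, so only the code bytes give it away, and only if the comparison set holds the real code for that Windows build and OEM.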
 
ComboFix:

ComboFix 10-09-17.04 - owner 09/18/2010 7:46.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2047.1147 [GMT -7:00]
Running from: c:\users\owner\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\owner\AppData\Local\{9398FD24-58F0-47BA-A72E-0EB27CFDB872}
c:\users\owner\AppData\Local\{9398FD24-58F0-47BA-A72E-0EB27CFDB872}\chrome.manifest
c:\users\owner\AppData\Local\{9398FD24-58F0-47BA-A72E-0EB27CFDB872}\chrome\content\_cfg.js
c:\users\owner\AppData\Local\{9398FD24-58F0-47BA-A72E-0EB27CFDB872}\chrome\content\overlay.xul
c:\users\owner\AppData\Local\{9398FD24-58F0-47BA-A72E-0EB27CFDB872}\install.rdf
c:\users\owner\AppData\Local\Windows Server
c:\users\owner\AppData\Local\Windows Server\flags.ini
c:\users\owner\AppData\Local\Windows Server\server.dat
c:\users\owner\AppData\Local\Windows Server\uses32.dat
c:\windows\system32\AutoRun.inf
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif

Infected copy of c:\windows\system32\wininit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe

Infected copy of c:\windows\system32\wininit.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2010-08-18 to 2010-09-18 )))))))))))))))))))))))))))))))
.

2010-09-18 14:58 . 2010-09-18 15:30 -------- d-----w- c:\users\owner\AppData\Local\temp
2010-09-18 14:58 . 2010-09-18 14:58 -------- d-----w- c:\users\KNOWN~1\AppData\Local\temp
2010-09-18 14:58 . 2010-09-18 14:58 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-09-18 14:58 . 2010-09-18 14:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-17 06:41 . 2010-09-17 06:41 -------- d-----w- c:\users\owner\AppData\Roaming\Malwarebytes
2010-09-17 06:40 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-17 06:40 . 2010-09-17 06:40 -------- d-----w- c:\programdata\Malwarebytes
2010-09-17 06:40 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-17 06:40 . 2010-09-17 06:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-17 05:17 . 2010-09-17 05:25 680 ----a-w- c:\users\owner\AppData\Local\d3d9caps.dat
2010-09-17 01:34 . 2010-09-18 06:36 -------- d-----w- C:\cleanup
2010-09-16 14:03 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-09-15 09:39 . 2010-04-16 16:10 501760 ----a-w- c:\windows\system32\usp10.dll
2010-09-15 09:39 . 2010-08-17 13:32 126464 ----a-w- c:\windows\system32\spoolsv.exe
2010-09-15 09:39 . 2010-04-05 16:08 317952 ----a-w- c:\windows\system32\MP4SDECD.DLL
2010-09-15 09:39 . 2010-05-27 19:16 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-09-13 06:11 . 2010-09-13 06:11 -------- d-----w- C:\Cems Data Properties
2010-09-06 14:36 . 2010-07-17 12:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-03 05:27 . 2010-09-03 05:27 1152 ----a-w- c:\windows\system32\windrv.sys
2010-09-03 05:27 . 2010-09-17 04:48 -------- d-----w- c:\program files\SpyNoMore
2010-08-27 16:23 . 2010-08-27 16:23 -------- d-----w- C:\389294be31a859d6fb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 06:23 . 2010-04-13 00:44 241 ----a-w- c:\users\owner\tsMS.reg
2010-09-17 07:07 . 2007-08-28 21:50 12 ----a-w- c:\windows\bthservsdp.dat
2010-09-17 06:49 . 2010-06-02 22:03 -------- d-----w- c:\users\owner\AppData\Roaming\Wubir
2010-09-15 11:08 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-09-14 06:04 . 2008-09-03 05:00 -------- d-----w- c:\program files\KEPServerEx
2010-09-14 05:58 . 2008-06-17 05:33 -------- d-----w- c:\program files\ETI
2010-09-06 14:36 . 2007-08-28 22:40 -------- d-----w- c:\program files\Common Files\Java
2010-09-06 14:36 . 2007-08-28 22:40 -------- d-----w- c:\program files\Java
2010-09-06 10:26 . 2008-06-21 06:10 -------- d-----w- c:\program files\Microsoft Silverlight
2010-08-27 17:08 . 2010-08-17 06:01 120 ----a-w- c:\users\owner\AppData\Local\Ptepepovaxesa.dat
2010-08-27 17:08 . 2010-08-17 06:01 0 ----a-w- c:\users\owner\AppData\Local\Dnaranofowa.bin
2010-08-26 19:07 . 2010-06-16 03:43 -------- d-----w- c:\program files\Verizon
2010-08-18 05:20 . 2010-08-15 04:07 -------- d-----w- c:\program files\McAfee Security Scan
2010-08-17 04:45 . 2010-08-08 03:56 -------- d-----w- c:\users\owner\AppData\Roaming\Ipfey
2010-08-15 04:07 . 2010-08-15 04:07 -------- d-----w- c:\programdata\McAfee Security Scan
2010-07-29 04:39 . 2010-04-10 07:01 -------- d-----w- c:\program files\McAfee
2010-07-15 22:18 . 2010-04-10 07:01 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-26 06:05 . 2010-09-16 13:49 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-09-16 13:49 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-09-16 13:49 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-09-16 13:49 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-21 13:18 . 2010-08-12 03:07 2036736 ----a-w- c:\windows\system32\win32k.sys
2007-08-28 22:42 . 2007-08-28 22:16 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-05-24 71176]
"PC Hardware Manager"="c:\program files\PC Hardware Manager\PCHardwareManager.exe" [2006-11-23 469504]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-26 1261568]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-01-25 90191]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-25 81920]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-02 675840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-11-18 4269296]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2010-03-17 1565696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-6-22 739880]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Preload.lnk - c:\hp\bin\HPUtilCK.exe [2007-8-28 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2007-05-04 858112]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 SDActMon;SDActMon;c:\program files\SpywareDetector\SDActMon.sys [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-03-26 93320]
S2 ServicepointService;ServicepointService;c:\program files\Verizon\VSP\ServicepointService.exe [2009-11-18 668912]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-12-17 497856]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-11-13 110592]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
S3 asusledbt;ASUS Bluetooth LED Device Driver;c:\windows\system32\DRIVERS\asusledbt.sys [2006-10-03 24880]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2007-05-17 28464]
S3 CFXPDisplayName;CFXPDisplayName;c:\windows\system32\DRIVERS\CFACPI.sys [2006-10-24 7680]
S3 hcw18bda;Hauppauge WinTV 418 Driver;c:\windows\system32\drivers\hcw18bda.sys [2007-04-18 366080]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-10 19:22]

2010-09-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-10 19:22]

2010-09-17 c:\windows\Tasks\User_Feed_Synchronization-{BA7A0505-FF05-49E9-B716-0D5F8133CC87}.job
- c:\windows\system32\msfeedssync.exe [2010-09-16 04:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=Pavilion&pf=desktop
Trusted Zone: att.com\*.vpn
Trusted Zone: att.com\www.e-access
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://cassl10.vpn.att.com/CACHE/stc/1/binaries/vpnweb.cab
DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://cassl10.vpn.att.com/CACHE/sdesktop/install/binaries/instweb.cab
FF - ProfilePath - c:\users\owner\AppData\Roaming\Mozilla\Firefox\Profiles\b82lmtqd.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Verizon\VSP\nprpspa.dll
FF - plugin: c:\users\owner\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKLM-Run-SDActiveMonitor - c:\program files\SpywareDetector\SDActiveMonitor.exe
AddRemove-MegaTune 2.25_is1 - c:\program files\MegaSquirt\MegaTune2.25\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-18 08:33
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4704)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\btncopy.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\schtasks.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lkcitdl.exe
c:\windows\system32\lkads.exe
c:\windows\system32\lktsrv.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\National Instruments\Shared\Security\nidmsrv.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Verizon\VSP\VerizonServicepointComHandler.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
.
**************************************************************************
.
Completion time: 2010-09-18 08:40:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-18 15:40

Pre-Run: 362,824,163,328 bytes free
Post-Run: 362,861,932,544 bytes free

- - End Of File - - 408C258DC94F39E93E641E1B2A1CA092
 
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 1 (build 6001), 32-bit
Base Board Manufacturer: ASUSTeK Computer INC.
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: HP-Pavilion
System Product Name: GN583AA-ABA IQ775
Logical Drives Mask: 0x0000007c

Kernel Drivers (total 162):
0x82015000 \SystemRoot\system32\ntkrnlpa.exe
0x823CE000 \SystemRoot\system32\hal.dll
0x80401000 \SystemRoot\system32\kdcom.dll
0x80409000 \SystemRoot\system32\PSHED.dll
0x8041A000 \SystemRoot\system32\BOOTVID.dll
0x80422000 \SystemRoot\system32\CLFS.SYS
0x80463000 \SystemRoot\system32\CI.dll
0x80543000 \SystemRoot\system32\drivers\Wdf01000.sys
0x805BF000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8060F000 \SystemRoot\system32\drivers\acpi.sys
0x80655000 \SystemRoot\system32\drivers\WMILIB.SYS
0x8065E000 \SystemRoot\system32\drivers\msisadrv.sys
0x80666000 \SystemRoot\system32\drivers\pci.sys
0x8068D000 \SystemRoot\System32\drivers\partmgr.sys
0x8069C000 \SystemRoot\system32\drivers\volmgr.sys
0x806AB000 \SystemRoot\System32\drivers\volmgrx.sys
0x806F5000 \SystemRoot\system32\drivers\pciide.sys
0x806FC000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x8070A000 \SystemRoot\System32\drivers\mountmgr.sys
0x8071A000 \SystemRoot\system32\drivers\atapi.sys
0x80722000 \SystemRoot\system32\drivers\ataport.SYS
0x80740000 \SystemRoot\system32\drivers\nvstor32.sys
0x8075D000 \SystemRoot\system32\drivers\storport.sys
0x8079E000 \SystemRoot\system32\drivers\fltmgr.sys
0x807D0000 \SystemRoot\system32\drivers\fileinfo.sys
0x807E0000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x8260D000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8267E000 \SystemRoot\system32\drivers\ndis.sys
0x82789000 \SystemRoot\system32\drivers\msrpc.sys
0x827B4000 \SystemRoot\system32\drivers\NETIO.SYS
0x87C0A000 \SystemRoot\System32\Drivers\Ntfs.sys
0x87D19000 \SystemRoot\system32\drivers\volsnap.sys
0x87D52000 \SystemRoot\System32\Drivers\spldr.sys
0x87D5A000 \SystemRoot\System32\Drivers\mup.sys
0x87D69000 \SystemRoot\System32\drivers\ecache.sys
0x87D90000 \SystemRoot\system32\drivers\disk.sys
0x87DA1000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x87DC2000 \SystemRoot\system32\drivers\crcdisk.sys
0x827EE000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x87C00000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x807E9000 \SystemRoot\system32\DRIVERS\amdk8.sys
0x8BC0B000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x8C04B000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8C0EA000 \SystemRoot\System32\drivers\watchdog.sys
0x8C0F7000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x8C101000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8C13F000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8C14E000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8C166000 \SystemRoot\system32\drivers\hcw18bda.sys
0x8C1C0000 \SystemRoot\system32\drivers\ks.sys
0x8C1EA000 \SystemRoot\system32\drivers\BdaSup.SYS
0x8C1ED000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x80600000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x805CC000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8C208000 \SystemRoot\system32\DRIVERS\nvmfdx32.sys
0x8C30B000 \SystemRoot\system32\DRIVERS\CFACPI.sys
0x8C313000 \SystemRoot\system32\DRIVERS\VMNetSrv.sys
0x8C322000 \SystemRoot\system32\DRIVERS\dne2000.sys
0x8C340000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8C36E000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8C379000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8C390000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8C39B000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8C3BE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8C3CD000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8C3E1000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x805DE000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8BC00000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x82600000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8C3F6000 \SystemRoot\system32\DRIVERS\swenum.sys
0x805EE000 \SystemRoot\system32\DRIVERS\circlass.sys
0x8C607000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8C611000 \SystemRoot\system32\DRIVERS\asusledbt.sys
0x8C61B000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8C628000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8C65C000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8C66D000 \SystemRoot\system32\drivers\ADIHdAud.sys
0x8C6C7000 \SystemRoot\system32\drivers\portcls.sys
0x8C6F4000 \SystemRoot\system32\drivers\drmk.sys
0x8C719000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8C722000 \SystemRoot\System32\Drivers\Null.SYS
0x8C729000 \SystemRoot\System32\Drivers\Beep.SYS
0x8C739000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8C740000 \SystemRoot\System32\drivers\vga.sys
0x8C74C000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8C76D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8C775000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8C77D000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8C788000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8C796000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x90C0F000 \SystemRoot\System32\drivers\tcpip.sys
0x90CF8000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x90D13000 \SystemRoot\System32\Drivers\Mpfp.sys
0x90D3C000 \SystemRoot\system32\DRIVERS\tdx.sys
0x90D52000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0x90D64000 \SystemRoot\system32\DRIVERS\smb.sys
0x90D78000 \SystemRoot\system32\drivers\afd.sys
0x90DC0000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8C79F000 \SystemRoot\system32\DRIVERS\pacer.sys
0x90DF2000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8C7B5000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x90E0C000 \??\C:\Windows\system32\Drivers\vmm.sys
0x90E47000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x90E83000 \SystemRoot\system32\drivers\nsiproxy.sys
0x90E8D000 \SystemRoot\system32\drivers\mfehidk.sys
0x90EC0000 \SystemRoot\System32\Drivers\dfsc.sys
0x90ED7000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x90EE0000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x90EF0000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x90EF2000 \SystemRoot\System32\Drivers\crashdmp.sys
0x90EFF000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x90F09000 \SystemRoot\System32\Drivers\dump_nvstor32.sys
0x90F26000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x90F2E000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x90F40000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x9A4B0000 \SystemRoot\System32\win32k.sys
0x90F49000 \SystemRoot\System32\drivers\Dxapi.sys
0x90F53000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x90F6A000 \SystemRoot\system32\DRIVERS\usbcir.sys
0x90F80000 \SystemRoot\system32\DRIVERS\hidir.sys
0x90F8B000 \SystemRoot\System32\Drivers\BTHUSB.sys
0x90F97000 \SystemRoot\System32\Drivers\bthport.sys
0x90FD1000 \SystemRoot\system32\DRIVERS\rfcomm.sys
0x90FE2000 \SystemRoot\system32\DRIVERS\BthEnum.sys
0x8C7C8000 \SystemRoot\system32\DRIVERS\bthpan.sys
0x80C0A000 \SystemRoot\system32\drivers\btwavdt.sys
0x80C77000 \SystemRoot\system32\drivers\btwaudio.sys
0x80CF3000 \SystemRoot\system32\DRIVERS\btwl2cap.sys
0x80CFD000 \SystemRoot\system32\DRIVERS\btwrchid.sys
0x80D00000 \SystemRoot\system32\DRIVERS\monitor.sys
0x9A6D0000 \SystemRoot\System32\TSDDD.dll
0x9A6F0000 \SystemRoot\System32\cdd.dll
0x80D0F000 \SystemRoot\system32\drivers\luafv.sys
0x80D32000 \SystemRoot\system32\drivers\spsys.sys
0x80DE1000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x87DCB000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x80DF1000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x90FEC000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x9F80A000 \SystemRoot\system32\drivers\HTTP.sys
0x9F877000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9F894000 \SystemRoot\system32\DRIVERS\bowser.sys
0x9F8AD000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9F8C2000 \SystemRoot\system32\drivers\mrxdav.sys
0x9F8E2000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9F901000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9F93A000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9F952000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9F979000 \SystemRoot\System32\DRIVERS\srv.sys
0xA0607000 \SystemRoot\system32\DRIVERS\snp2uvc.sys
0xA095A000 \SystemRoot\system32\DRIVERS\STREAM.SYS
0xA0967000 \SystemRoot\system32\DRIVERS\sncduvc.SYS
0xA0986000 \SystemRoot\System32\Drivers\cvintdrv.SYS
0xADE0D000 \SystemRoot\system32\drivers\peauth.sys
0xADEEB000 \SystemRoot\System32\Drivers\secdrv.SYS
0xADEF5000 \SystemRoot\System32\drivers\tcpipreg.sys
0xADF01000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0xADF16000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
0xADF28000 \SystemRoot\system32\drivers\mfebopk.sys
0xADF2F000 \SystemRoot\system32\drivers\mfeavfk.sys
0xADF41000 \SystemRoot\system32\DRIVERS\cdfs.sys
0xADF57000 \SystemRoot\system32\drivers\mfesmfk.sys
0x76E70000 \Windows\System32\ntdll.dll

Processes (total 94):
0 System Idle Process
4 System
416 C:\Windows\System32\smss.exe
548 csrss.exe
612 C:\Windows\System32\wininit.exe
628 csrss.exe
660 C:\Windows\System32\services.exe
672 C:\Windows\System32\lsass.exe
680 C:\Windows\System32\lsm.exe
828 C:\Windows\System32\svchost.exe
888 C:\Windows\System32\svchost.exe
920 C:\Windows\System32\svchost.exe
976 C:\Windows\System32\svchost.exe
1008 C:\Windows\System32\svchost.exe
1024 C:\Windows\System32\svchost.exe
1084 C:\Windows\System32\winlogon.exe
1156 C:\Windows\System32\audiodg.exe
1180 C:\Windows\System32\svchost.exe
1196 C:\Windows\System32\SLsvc.exe
1248 C:\Windows\System32\svchost.exe
1348 C:\Windows\System32\svchost.exe
1372 C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
1608 C:\Windows\System32\spoolsv.exe
1632 C:\Windows\System32\svchost.exe
2024 C:\Windows\System32\taskeng.exe
268 C:\Windows\System32\dwm.exe
436 C:\Windows\explorer.exe
1512 C:\hp\support\hpsysdrv.exe
1676 C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
1964 C:\Program Files\PC Hardware Manager\PCHardwareManager.exe
2016 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
316 C:\Windows\System32\schtasks.exe
720 C:\Program Files\Analog Devices\Core\smax4pnp.exe
1708 C:\Windows\vsnp2uvc.exe
2020 C:\Windows\System32\rundll32.exe
1432 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1840 C:\Program Files\McAfee.com\Agent\mcagent.exe
1824 C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
1852 C:\Program Files\Verizon\McciTrayApp.exe
1868 C:\Program Files\Windows Sidebar\sidebar.exe
1016 C:\Windows\ehome\ehtray.exe
1800 C:\Program Files\Windows Media Player\wmpnscfg.exe
1820 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
2064 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
2072 C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
2080 C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
2192 C:\Windows\ehome\ehmsas.exe
2664 C:\Windows\System32\svchost.exe
2696 C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
2732 C:\Windows\System32\svchost.exe
2860 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2916 C:\Windows\System32\lkcitdl.exe
2964 C:\Windows\System32\lkads.exe
2976 C:\Windows\System32\lktsrv.exe
2988 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
3020 C:\Program Files\Common Files\Motive\McciCMService.exe
3084 C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
3168 C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
3180 C:\Windows\System32\rundll32.exe
3240 C:\Program Files\Common Files\microsoft shared\VS7Debug\mdm.exe
3292 C:\Program Files\McAfee\MPF\MpfSrv.exe
3320 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
3336 C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
3404 C:\Windows\System32\svchost.exe
3428 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
3456 C:\Program Files\Verizon\VSP\ServicepointService.exe
3520 C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
3596 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
3664 C:\Windows\System32\svchost.exe
3808 C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
3872 C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
3980 C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
4020 C:\Windows\System32\svchost.exe
4048 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
1976 C:\Windows\System32\SearchIndexer.exe
2616 WUDFHost.exe
1624 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
3976 unsecapp.exe
3924 WmiPrvSE.exe
2256 C:\Program Files\Windows Media Player\wmpnetwk.exe
1808 C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
4172 WmiPrvSE.exe
5468 C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
5544 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
5712 C:\Windows\System32\taskeng.exe
5840 C:\Program Files\Mozilla Firefox\firefox.exe
4116 C:\Windows\System32\SearchProtocolHost.exe
4508 C:\Windows\System32\SearchFilterHost.exe
5392 C:\Program Files\Mozilla Firefox\plugin-container.exe
5828 C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
5928 C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
1296 C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
5012 C:\Windows\explorer.exe
4752 C:\cleanup\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000072`2ab58000 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHD501LJ, Rev: CR10

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Hewlett-Packard MBR code detected
SHA1: 161E5DF10EB9B6EAC4AA8DF99305EF77B11BEBD8


Done!
 
My apologies: I posted earlier saying thank you very much and that the problem was solved, but I never pressed submit on my post - it was sitting here unposted when I got back to the computer tonight.

Virus Total said 0/43 hits on windrv.sys, no indications of a problem.

Problem does appear to be solved. Thank you, crunchie and TechSpot forums, you guys are really doing a great service here.
 
To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC by OldTimer:
Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

===========

You are welcome :).
 